Trouble with glibc

Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in the standard C library libc and in xinetd, hylafax, pServ, UnAce, Quagga, Zebra, terminatorX, and omega-rpg.

glibc, AKA GNU libc

Two security bugs have been found in the glibc package that contains the GNU libc standard C library: a buffer overflow in getgrouplist() and a problem in glibc's handling of kernel netlink messages.

The buffer overflow in getgrouplist() only affects users who have been assigned to an unusually high number of groups, but it could cause a security problem under some circumstances.

In some versions of the GNU libc library, the function getifaddrs() can accept spoofed kernel netlink messages, which could result in a denial-of-service condition.

Red Hat has released updated glibc packages for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9. Users of other systems should watch their vendors for an update.
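The getgrouplist() bug above is a buffer-size problem on the library side, but callers also have to honour the function's size contract or they create the same overflow in their own code. The following is an added example written for this column, not code from glibc or from the advisory: it shows the documented calling convention (getgrouplist() returns -1 when the supplied buffer is too small and, on glibc, writes the size it needs back into the ngroups argument) and a caller that grows its buffer until the whole list fits instead of assuming a fixed maximum. The user name "root" in main() is a sample input; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Illustrative code, not glibc's implementation.  Resolve every group that
 * `user` belongs to, growing the buffer until getgrouplist() reports that
 * the whole list fit.  Starting with a small capacity deliberately forces
 * the retry path that a fixed-size caller would get wrong.
 *
 * On success returns a heap-allocated array (caller frees) and stores its
 * length in *count.  Returns NULL on allocation failure.
 */
gid_t *collect_groups(const char *user, gid_t primary, int *count)
{
    int cap = 4;                 /* deliberately small initial guess */
    gid_t *groups = NULL;

    for (;;) {
        gid_t *bigger = realloc(groups, (size_t)cap * sizeof *groups);
        if (bigger == NULL) {
            free(groups);
            return NULL;
        }
        groups = bigger;

        /* getgrouplist() only ever writes up to ngroups entries; the
         * library is the one that must respect that bound. */
        int ngroups = cap;
        int rc = getgrouplist(user, primary, groups, &ngroups);
        if (rc != -1) {
            *count = rc;         /* number of entries actually filled in */
            return groups;
        }

        /* Buffer too small.  glibc reports the required size in ngroups;
         * if an implementation leaves it unchanged, double the capacity
         * instead of spinning forever on the same size. */
        cap = (ngroups > cap) ? ngroups : cap * 2;
    }
}

/* Wrapper that returns only the resolved group count (or -1 on failure). */
int group_count_for(const char *user, gid_t primary)
{
    int n = 0;
    gid_t *g = collect_groups(user, primary, &n);
    if (g == NULL)
        return -1;
    free(g);
    return n;
}

int main(void)
{
    /* Sample input: the root account, primary gid 0. */
    int n = 0;
    gid_t *g = collect_groups("root", 0, &n);
    if (g == NULL) {
        perror("collect_groups");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("root is a member of gid %u\n", (unsigned)g[i]);
    free(g);
    return 0;
}
```

The point of the loop is that the caller never claims more space than it actually allocated: the library fills at most ngroups entries, and a too-small buffer is a retry condition rather than an overflow. A caller that instead sizes the array from NGROUPS_MAX or a hard-coded constant and passes a larger ngroups than it owns reproduces the class of bug described above in its own code.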

xinetd

xinetd is a replacement for the inetd superserver. A new version has been released that fixes several bugs, including a memory leak that occurs when a connection is refused by xinetd. This memory leak could be used by a remote attacker in a denial-of-service attack against a server.

Users should upgrade to version 2.3.12 of xinetd as soon as possible. Updated packages have been released for Conectiva Linux 7.0, 8, and 9, and for SuSE Linux.

hylafax

hylafax, an enterprise-class, open source fax server software package used to send and receive facsimiles and alphanumeric pages, is vulnerable, under some conditions, to a bug that can be exploited by a remote attacker to execute arbitrary code with root permissions. The bug can only be exploited if the 0x002 bit for the ServerTracing function is set. ServerTracing is not turned on by default, but is commonly set during troubleshooting.

All users of hylafax should turn off ServerTracing and then upgrade as soon as possible to the 4.1.8 patch-level code release. Repaired packages have been released for Mandrake Linux 9.0, 9.1, 9.2, and Corporate Server 2.1; Conectiva Linux 9; and SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0.

pServ

pServ (pico Server) is a small web server coded in C with the goal of being very portable. Version 2.0.x of pServ is vulnerable to a remote attack that overflows a buffer and, in some circumstances, results in arbitrary code being executed with the permissions of the user running the web server. A script to automate the exploitation of this buffer overflow has been released to the public.

Users should watch for a repaired version.

UnAce

UnAce, a utility to extract, view, and test the contents of an ACE archive, contains a buffer overflow in the code that handles the filenames of ACE archive files. Exploiting the buffer overflow can result in arbitrary code being executed with the permissions of the user running UnAce. Under some conditions this buffer overflow could be exploited by an attacker; for example, if a remote user can specify a filename for extraction with UnAce. The buffer overflow is reported to affect versions of UnAce through 2.20.

Affected users should upgrade when a repaired version becomes available.

Quagga and Zebra

Quagga, a routing software suite (forked from Zebra) that provides implementations of OSPFv2, OSPFv3, RIP v1 and v2, RIPv3, and BGPv4 for Unix platforms, is vulnerable to a remote denial-of-service attack when the attacker can send packets to the command-line interface for the daemon. The attacker triggers the denial-of-service attack by sending a malformed packet during the telnet negotiation phase, causing Quagga to reference a null pointer and crash. This vulnerability affects all versions of Quagga prior to version 0.96.4, and GNU Zebra.

Affected users should upgrade to Quagga version 0.96.4 as soon as possible and should consider limiting access to the command-line interface of Quagga using a tool such as a firewall. A temporary workaround for this vulnerability, under some conditions, is to add -A 127.0.0.1 to the daemon's startup script, causing it to only accept connections from the local host. Red Hat has released an updated Zebra package that repairs this problem for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.

terminatorX

terminatorX is a realtime audio synthesizer that can be used to "scratch" digitally sampled audio data, similar to the way that DJs scratch vinyl records. terminatorX is reported to be vulnerable to three buffer overflows and a format-string bug. The buffer overflows are reported to be exploitable by a local attacker to gain root permissions. Scripts to automate the exploitation of these vulnerabilities have been released to the public. Versions of terminatorX through 3.8.1 are reported to be vulnerable.

Users should watch for a repaired version of terminatorX; if it is installed on a multiuser system, they should consider removing the package until it has been repaired.

omega-rpg

omega-rpg, a text-based role playing game, is vulnerable to a buffer overflow in code that handles some environment variables. If the game is installed with any set user id or set group id bits (some distributions install games set group id to the group games), exploiting this buffer overflow can result in the attacker gaining additional permissions.

It is recommended that users remove any set user id and set group id bits that may be set on omega-rpg and watch for a repaired version. Debian has released a repaired version for Debian GNU/Linux 3.0 (alias woody).